Van Buren v. United States

Supreme Court of the United States
593 U.S. 374 (2021)

Rule of Law:

The 'exceeds authorized access' clause of the Computer Fraud and Abuse Act of 1986 (CFAA) applies only when an individual accesses a computer with authorization but then obtains information located in specific areas of the computer, such as files, folders, or databases, that are off-limits to them, not when they merely misuse information that is otherwise available to them for an improper purpose.


Facts:

  • Nathan Van Buren was a police sergeant in Georgia.
  • Van Buren developed a friendly relationship with Andrew Albo, whom his department considered 'very volatile.'
  • Van Buren asked Albo for a personal loan; Albo secretly recorded the request and reported it to local law enforcement, claiming Van Buren sought to 'shake him down' for cash.
  • The Federal Bureau of Investigation (FBI) devised a sting operation, instructing Albo to ask Van Buren to search a state law enforcement database for a license plate number, purportedly to check if a woman Albo met was an undercover officer, in exchange for $5,000.
  • Van Buren used his patrol-car computer and his own valid credentials to access the state law enforcement database.
  • Van Buren searched the database for the license plate number Albo provided, obtained the FBI-created license-plate entry, and told Albo he had information to share.
  • Van Buren had been trained that using the law enforcement database for 'any personal use' was an 'improper purpose' and thus knew the search breached department policy.

Procedural Posture:

  • The Federal Government charged Nathan Van Buren with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA) and honest-services wire fraud.
  • A jury convicted Van Buren of both charges.
  • The District Court sentenced Van Buren to 18 months in prison.
  • Van Buren appealed his conviction to the United States Court of Appeals for the Eleventh Circuit, arguing that the 'exceeds authorized access' clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access they otherwise have.
  • The Eleventh Circuit panel affirmed Van Buren's CFAA conviction, holding that he had violated the CFAA by accessing the law enforcement database for an 'inappropriate reason,' consistent with its Circuit precedent. (Note: The Eleventh Circuit vacated Van Buren’s honest-services fraud conviction in a separate holding not at issue before the Supreme Court).
  • The Supreme Court granted certiorari to resolve the circuit split regarding the scope of liability under the CFAA's 'exceeds authorized access' clause.

Issue:

Does an individual 'exceed[] authorized access' under the Computer Fraud and Abuse Act of 1986 when they access a computer with authorization and obtain information for an improper purpose, even if they are otherwise authorized to access that information?


Opinions:

Majority - Justice Barrett

No, an individual does not 'exceed[] authorized access' under the CFAA when they access a computer with authorization and obtain information for an improper purpose, if that information is otherwise available to them. The Court's interpretation hinges on the statutory definition of 'exceeds authorized access,' which means 'to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.' The crucial phrase 'is not entitled so to obtain' refers to information a person is not entitled to obtain by using a computer that he is authorized to access. The word 'so' acts as a term of reference to the previously stated 'manner or circumstance' in the definition itself, meaning 'using a computer one is authorized to access,' and does not incorporate broader, circumstance-based limits found in policies or contracts. This reading is not superfluous, as 'so' clarifies that the entitlement must be to obtain information specifically by using a computer, preventing defenses based on non-digital access rights. The statutory structure also supports this view; both the 'without authorization' and 'exceeds authorized access' clauses involve a 'gates-up-or-down' inquiry regarding access to a system or specific areas within it, unlike the government's inconsistent, purpose-based interpretation. Furthermore, the CFAA's civil liability provisions defining 'damage' and 'loss' focus on technological harms to computer systems or data, not on the 'misuse' of information that an authorized user could permissibly access. Legislative history also undermines the government's position, as Congress removed language from the 1984 Act that expressly covered using access 'for purposes to which such authorization does not extend,' indicating an intent not to cover purpose-based limitations. Finally, the government's interpretation would criminalize a vast amount of commonplace computer activity, such as sending personal emails from a work computer or violating website terms of service, an implausible result that the Court avoids.


Dissenting - Justice Thomas

Yes, an individual does 'exceed[] authorized access' under the CFAA when they access a computer with authorization and obtain information for an improper purpose, even if they are otherwise authorized to access that information, because entitlements are inherently circumstance-dependent. Justice Thomas argued that a person is 'entitled' to do something only if 'proper grounds' or facts are in place. Since Van Buren lacked a law enforcement purpose, the 'proper grounds' for obtaining the license plate information were absent, meaning he was not 'entitled so to obtain' it in those specific circumstances. This aligns with basic principles of property law, where the right to use another's property is typically circumstance-specific (e.g., a valet using a car for parking, not joyriding; trespass when authorized entry is used for an unauthorized purpose). The dissent contended that the CFAA protects against both unlawful entry and unlawful use after entry, with both the 'without authorization' and 'exceeds authorized access' clauses involving a circumstance-specific analysis. The removal of 'purpose' from the statute's language in 1986 broadened, rather than narrowed, its scope by replacing a specific, limited term with the broader 'not entitled,' encompassing purpose-based and other restrictions (like time and manner). Concerns about overbreadth are overstated, as the strict 'intentionally' mens rea requirement and the limitation to 'obtaining or altering information in the computer' would plausibly narrow the statute's reach, preventing prosecution for truly innocuous conduct. The defined term 'exceeds authorized access' itself also supports an interpretation that aligns with the common understanding of exceeding given authority, which is circumstance-dependent.



Analysis:

This landmark decision significantly narrows the scope of the Computer Fraud and Abuse Act (CFAA), shifting its focus from improper purpose to unauthorized location or area of access. It limits federal prosecutors' ability to bring criminal charges for violations of employer computer-use policies or website terms of service, unless the user gains entry to a part of the system explicitly off-limits. This ruling will likely lead to fewer federal prosecutions for 'insider' misuse of computer systems and may encourage organizations to rely more on internal disciplinary actions, civil lawsuits, or more robust technical access controls to prevent misuse.
